process

package
v0.0.0-...-d990535 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 10, 2025 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Overview

Package process holds process-related files.

Index

Constants

// Population states of the resolvers. The values are assigned with iota, so
// Snapshotting is 0 and Snapshotted is 1.
const (
	Snapshotting = iota // Snapshotting describes the state where resolvers are being populated
	Snapshotted         // Snapshotted describes the state where resolvers are fully populated
)

Variables

This section is empty.

Functions

func GetProcessArgv

func GetProcessArgv(pr *model.Process) ([]string, bool)

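GetProcessArgv returns the unscrubbed args of the event as an array. Use with caution: the values have not been scrubbed and may contain secrets passed on the command line, so prefer GetProcessArgvScrubbed when the result is logged or exported.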

func GetProcessArgv0

func GetProcessArgv0(pr *model.Process) (string, bool)

GetProcessArgv0 returns the first arg of the event and whether the process arguments are truncated

func IsBusybox

func IsBusybox(pathname string) bool

IsBusybox returns true if the pathname matches busybox

func IsKThread

func IsKThread(ppid, pid uint32) bool

IsKThread reports whether the given ppid and pid are those of a kernel thread (kthread)

Types

type CacheResolverKey

// CacheResolverKey is the key used to store and retrieve processes from the
// cache. It pairs a pid with a namespace ID.
type CacheResolverKey struct {
	Pid  uint32 // Pid of the related process (namespaced)
	NSID uint64 // NSID is the ID of the PID namespace of the related container
}

CacheResolverKey is used to store and retrieve processes from the cache

type EBPFLessResolver

type EBPFLessResolver struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

EBPFLessResolver defines a resolver

func NewEBPFLessResolver

func NewEBPFLessResolver(_ *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, opts *ResolverOpts) (*EBPFLessResolver, error)

NewEBPFLessResolver returns a new process resolver

func (*EBPFLessResolver) AddExecEntry

func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string) *model.ProcessCacheEntry

AddExecEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFLessResolver) AddForkEntry

func (p *EBPFLessResolver) AddForkEntry(key CacheResolverKey, ppid uint32, ts uint64) *model.ProcessCacheEntry

AddForkEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFLessResolver) AddProcFSEntry

func (p *EBPFLessResolver) AddProcFSEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string) *model.ProcessCacheEntry

AddProcFSEntry adds a procfs entry

func (*EBPFLessResolver) DeleteEntry

func (p *EBPFLessResolver) DeleteEntry(key CacheResolverKey, exitTime time.Time)

DeleteEntry tries to delete an entry in the process cache

func (*EBPFLessResolver) Dump

func (p *EBPFLessResolver) Dump(_ bool) (string, error)

Dump creates a temp file and dumps the cache into it

func (*EBPFLessResolver) GetProcessArgvScrubbed

func (p *EBPFLessResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)

GetProcessArgvScrubbed returns the scrubbed args of the event as an array

func (*EBPFLessResolver) GetProcessEnvp

func (p *EBPFLessResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)

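GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution: environment variable values often carry secrets such as tokens or passwords, so avoid logging or exporting the result as-is.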

func (*EBPFLessResolver) GetProcessEnvs

func (p *EBPFLessResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)

GetProcessEnvs returns the envs of the event

func (*EBPFLessResolver) NewEntry

func (p *EBPFLessResolver) NewEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string, source uint64) *model.ProcessCacheEntry

NewEntry returns a new entry

func (*EBPFLessResolver) Resolve

Resolve returns the cache entry for the given pid

func (*EBPFLessResolver) SendStats

func (p *EBPFLessResolver) SendStats() error

SendStats sends process resolver metrics

func (*EBPFLessResolver) Snapshot

func (p *EBPFLessResolver) Snapshot()

Snapshot snapshots the existing entryCache

func (*EBPFLessResolver) Start

func (p *EBPFLessResolver) Start(_ context.Context) error

Start starts the resolver

func (*EBPFLessResolver) UpdateGID

func (p *EBPFLessResolver) UpdateGID(key CacheResolverKey, gid int32, egid int32)

UpdateGID updates the credentials of the provided pid

func (*EBPFLessResolver) UpdateUID

func (p *EBPFLessResolver) UpdateUID(key CacheResolverKey, uid int32, euid int32)

UpdateUID updates the credentials of the provided pid

func (*EBPFLessResolver) Walk

func (p *EBPFLessResolver) Walk(callback func(entry *model.ProcessCacheEntry))

Walk iterates through the entire tree and calls the provided callback on each entry

type EBPFResolver

type EBPFResolver struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

EBPFResolver resolves process context

func NewEBPFResolver

func NewEBPFResolver(manager *manager.Manager, config *config.Config, statsdClient statsd.ClientInterface,
	scrubber *procutil.DataScrubber, containerResolver *container.Resolver, mountResolver mount.ResolverInterface,
	cgroupResolver *cgroup.Resolver, userGroupResolver *usergroup.Resolver, timeResolver *stime.Resolver,
	pathResolver spath.ResolverInterface, envVarsResolver *envvars.Resolver, opts *ResolverOpts) (*EBPFResolver, error)

NewEBPFResolver returns a new process resolver

func (*EBPFResolver) AddExecEntry

func (p *EBPFResolver) AddExecEntry(event *model.Event) error

AddExecEntry adds an entry to the local cache. Per the signature above it returns an error, not the newly created entry.

func (*EBPFResolver) AddForkEntry

func (p *EBPFResolver) AddForkEntry(event *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) error

AddForkEntry adds an entry to the local cache. Per the signature above it returns an error, not the newly created entry; the entry is presumably handed to newEntryCb.

func (*EBPFResolver) ApplyBootTime

func (p *EBPFResolver) ApplyBootTime(entry *model.ProcessCacheEntry)

ApplyBootTime realigns the timestamp from the boot time

func (*EBPFResolver) ApplyExitEntry

func (p *EBPFResolver) ApplyExitEntry(event *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) bool

ApplyExitEntry deletes the entry from the local cache if present

func (*EBPFResolver) CountBrokenLineage

func (p *EBPFResolver) CountBrokenLineage()

CountBrokenLineage increments the counter of broken lineage

func (*EBPFResolver) DeleteEntry

func (p *EBPFResolver) DeleteEntry(pid uint32, exitTime time.Time)

DeleteEntry tries to delete an entry in the process cache

func (*EBPFResolver) DequeueExited

func (p *EBPFResolver) DequeueExited()

DequeueExited dequeues exited processes

func (*EBPFResolver) FetchAWSSecurityCredentials

func (p *EBPFResolver) FetchAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials

FetchAWSSecurityCredentials returns the list of AWS Security Credentials valid at the time of the event, and prunes expired entries

func (*EBPFResolver) Get

Get returns the cache entry for a specified pid

func (*EBPFResolver) GetProcessArgvScrubbed

func (p *EBPFResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)

GetProcessArgvScrubbed returns the scrubbed args of the event as an array

func (*EBPFResolver) GetProcessEnvp

func (p *EBPFResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)

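GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution: environment variable values often carry secrets such as tokens or passwords, so avoid logging or exporting the result as-is.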

func (*EBPFResolver) GetProcessEnvs

func (p *EBPFResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)

GetProcessEnvs returns the envs of the event

func (*EBPFResolver) NewProcessCacheEntry

func (p *EBPFResolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*EBPFResolver) Resolve

func (p *EBPFResolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

Resolve returns the cache entry for the given pid

func (*EBPFResolver) ResolveFromCache

func (p *EBPFResolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry

ResolveFromCache resolves cache entry from the cache

func (*EBPFResolver) ResolveFromKernelMaps

func (p *EBPFResolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

ResolveFromKernelMaps resolves the entry from the kernel maps

func (*EBPFResolver) ResolveFromProcfs

func (p *EBPFResolver) ResolveFromProcfs(pid uint32, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

ResolveFromProcfs resolves the entry from procfs

func (*EBPFResolver) ResolveNewProcessCacheEntry

func (p *EBPFResolver) ResolveNewProcessCacheEntry(entry *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) error

ResolveNewProcessCacheEntry resolves the context fields of a new process cache entry parsed from kernel data

func (*EBPFResolver) SendStats

func (p *EBPFResolver) SendStats() error

SendStats sends process resolver metrics

func (*EBPFResolver) SetProcessArgs

func (p *EBPFResolver) SetProcessArgs(pce *model.ProcessCacheEntry)

SetProcessArgs sets the arguments on the cache entry

func (*EBPFResolver) SetProcessEnvs

func (p *EBPFResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)

SetProcessEnvs sets the envs on the cache entry

func (*EBPFResolver) SetProcessFilesystem

func (p *EBPFResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) (string, error)

SetProcessFilesystem resolves process file system

func (*EBPFResolver) SetProcessPath

func (p *EBPFResolver) SetProcessPath(fileEvent *model.FileEvent, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error)

SetProcessPath resolves process file path

func (p *EBPFResolver) SetProcessSymlink(entry *model.ProcessCacheEntry)

SetProcessSymlink resolves process file symlink path

func (*EBPFResolver) SetProcessTTY

func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string

SetProcessTTY resolves the TTY and caches the result

func (*EBPFResolver) SetProcessUsersGroups

func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)

SetProcessUsersGroups resolves and sets users and groups

func (*EBPFResolver) SetState

func (p *EBPFResolver) SetState(state int64)

SetState sets the process resolver state

func (*EBPFResolver) Start

func (p *EBPFResolver) Start(ctx context.Context) error

Start starts the resolver

func (*EBPFResolver) SyncCache

func (p *EBPFResolver) SyncCache(proc *process.Process)

SyncCache snapshots /proc for the provided pid.

func (*EBPFResolver) ToDot

func (p *EBPFResolver) ToDot(withArgs bool) (string, error)

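ToDot creates a temp file and dumps the cache into it. When withArgs is true the dump presumably includes process arguments, which may contain secrets unless they are scrubbed; treat the resulting file as sensitive.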

func (*EBPFResolver) ToJSON

func (p *EBPFResolver) ToJSON(raw bool) ([]byte, error)

ToJSON returns a JSON version of the cache

func (*EBPFResolver) UpdateAWSSecurityCredentials

func (p *EBPFResolver) UpdateAWSSecurityCredentials(pid uint32, e *model.Event)

UpdateAWSSecurityCredentials updates the list of AWS Security Credentials

func (*EBPFResolver) UpdateArgsEnvs

func (p *EBPFResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)

UpdateArgsEnvs updates arguments or environment variables of the given id

func (*EBPFResolver) UpdateCapset

func (p *EBPFResolver) UpdateCapset(pid uint32, e *model.Event)

UpdateCapset updates the credentials of the provided pid

func (*EBPFResolver) UpdateGID

func (p *EBPFResolver) UpdateGID(pid uint32, e *model.Event)

UpdateGID updates the credentials of the provided pid

func (*EBPFResolver) UpdateLoginUID

func (p *EBPFResolver) UpdateLoginUID(pid uint32, e *model.Event)

UpdateLoginUID updates the AUID of the provided pid

func (*EBPFResolver) UpdateUID

func (p *EBPFResolver) UpdateUID(pid uint32, e *model.Event)

UpdateUID updates the credentials of the provided pid

func (*EBPFResolver) Walk

func (p *EBPFResolver) Walk(callback func(entry *model.ProcessCacheEntry))

Walk iterates through the entire tree and calls the provided callback on each entry

type Pool

type Pool struct {
	// contains filtered or unexported fields
}

Pool defines a pool for process entry allocations

func NewProcessCacheEntryPool

func NewProcessCacheEntryPool(onRelease func()) *Pool

NewProcessCacheEntryPool returns a new Pool

func (*Pool) Get

func (p *Pool) Get() *model.ProcessCacheEntry

Get returns a cache entry

func (*Pool) Put

func (p *Pool) Put(pce *model.ProcessCacheEntry)

Put returns a cache entry to the pool

type ResolverOpts

type ResolverOpts struct {
	// contains filtered or unexported fields
}

ResolverOpts holds the options of a resolver

func NewResolverOpts

func NewResolverOpts() *ResolverOpts

NewResolverOpts returns a new set of process resolver options

func (*ResolverOpts) WithEnvsResolutionEnabled

func (o *ResolverOpts) WithEnvsResolutionEnabled() *ResolverOpts

WithEnvsResolutionEnabled enables the envs resolution

func (*ResolverOpts) WithEnvsValue

func (o *ResolverOpts) WithEnvsValue(envsWithValue []string) *ResolverOpts

WithEnvsValue specifies envs with value

func (*ResolverOpts) WithTTYFallbackEnabled

func (o *ResolverOpts) WithTTYFallbackEnabled() *ResolverOpts

WithTTYFallbackEnabled enables the TTY fallback
